Gpac Mp4box
By the Year
In 2026 there have been 34 vulnerabilities in Gpac Mp4box with an average score of 6.0 out of ten. Mp4box did not have any published security vulnerabilities last year. That is, 34 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 34 | 5.97 |
| 2025 | 0 | 0.00 |
| 2024 | 1 | 5.50 |
| 2023 | 15 | 7.60 |
| 2022 | 2 | 7.65 |
| 2021 | 3 | 7.50 |
It may take a day or so for new Mp4box vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Gpac Mp4box Security Vulnerabilities
Use-After-Free causing DoS in MP4Box before 26.02.0 via crafted MPEG-2 TS
CVE-2025-60464
7.8 - High
- June 25, 2026
A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
Dangling pointer
GPAC MP4Box < v26.02.0 UAF in gf_filter_pid_inst_swap causing DoS
CVE-2025-60465
6.1 - Medium
- June 25, 2026
A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Dangling pointer
Use-after-free in gf_filter_pid_get_packet (MP4Box <26.02.0) leads to DoS
CVE-2025-60466
5 - Medium
- June 24, 2026
A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Dangling pointer
Use-After-Free in MP4Box <26.02.0 Causing DoS via Crafted Media
CVE-2025-60467
7.5 - High
- June 24, 2026
A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Dangling pointer
GPAC MP4Box <2.5DEV> UseAfterFree via PID Swap/Delete (buffer overflow)
CVE-2025-60468
5.5 - Medium
- June 24, 2026
GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. In GPAC's MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.
Heap-based Buffer Overflow
GPAC MP4Box DoS via use-after-free before 26.02.0
CVE-2025-60471
5.5 - Medium
- June 24, 2026
A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Dangling pointer
MP4Box <26.02: NULL Pointer Deref in gf_filter_in_parent_chain Leads to DoS
CVE-2025-60473
5.5 - Medium
- June 24, 2026
A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
NULL Pointer Dereference
GPAC MP4Box <26.02.0 Buffer Overflow in gf_media_import Causes DoS
CVE-2025-60474
7.5 - High
- June 24, 2026
A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
Stack Overflow
GPAC MP4Box v2.4 NULL Ptr Deref DoS via crafted MP4
CVE-2025-55639
6.5 - Medium
- June 23, 2026
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
NULL Pointer Dereference
Heap Buffer Overflow in GPAC MP4Box v2.4 (gf_cenc_set_pssh) Enables DoS
CVE-2025-55645
5.5 - Medium
- June 15, 2026
A heap buffer overflow in the gf_cenc_set_pssh function (isomedia/drm_sample.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Heap-based Buffer Overflow
GPAC MP4Box v2.4 DoS via Segfault in Track_SetStreamDescriptor
CVE-2025-55663
5.5 - Medium
- June 15, 2026
A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
Heap buffer overflow in GPAC MP4Box 2.4 Opus parser causes DoS
CVE-2025-55661
5.5 - Medium
- June 15, 2026
A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Heap-based Buffer Overflow
GPAC MP4Box v2.4 DOS via gf_opus_read_length stack overflow
CVE-2025-55660
5.5 - Medium
- June 15, 2026
A stack overflow in the gf_opus_read_length function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Stack Overflow
GPAC MP4Box v2.4 Heap Buffer Overflow in gf_isom_vp_config_new
CVE-2025-55652
5.5 - Medium
- June 15, 2026
A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Heap-based Buffer Overflow
GPAC MP4Box v2.4 Heap UAF in gf_node_get_tag Causes DoS
CVE-2025-55650
5.5 - Medium
- June 15, 2026
A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Dangling pointer
GPAC MP4Box v2.4 DoS via NULL ptr in gf_media_map_esd
CVE-2025-55649
5.5 - Medium
- June 15, 2026
A NULL pointer dereference in the gf_media_map_esd function (media_tools/isom_tools.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box v2.4 Heap Buffer Overflow in gf_opus_parse_packet_header DoS
CVE-2025-55648
5.5 - Medium
- June 15, 2026
A heap buffer overflow in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Heap-based Buffer Overflow
GPAC MP4Box OOM via mp4_mux_cenc_insert_pssh (v2.4) DoS
CVE-2025-55647
5.5 - Medium
- June 15, 2026
An Out-of-Memory in the mp4_mux_cenc_insert_pssh function (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Integer Overflow or Wraparound
GPAC MP4Box v2.4 Heap UAF in gf_node_get_tag allows DoS
CVE-2025-55644
5.5 - Medium
- June 15, 2026
A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Dangling pointer
GPAC MP4Box v2.4 NULL PTR DEREF DoS via crafted MP4 (TrackWriter)
CVE-2025-55643
5.5 - Medium
- June 15, 2026
A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box v2.4 FP Exception in avidmx_process
CVE-2025-55642
6.5 - Medium
- June 15, 2026
GPAC MP4Box v2.4 was discovered to contain a floating point exception in the avidmx_process function (isomedia/isom_write.c).
Divide By Zero
GPAC MP4Box v2.4 DoS via NULL deref in gf_isom_copy_sample_info
CVE-2025-55641
5.5 - Medium
- June 15, 2026
A NULL pointer dereference in the gf_isom_copy_sample_info function (isomedia/isom_write.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box v2.4 NULL PTR DoS via Crafted MP4 (ctts_box_write)
CVE-2025-55659
6.5 - Medium
- June 09, 2026
A NULL pointer dereference in the ctts_box_write function (isomedia/box_code_base.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box v2.4 Stack Buffer Overflow (DoS)
CVE-2025-52292
7.5 - High
- June 09, 2026
A stack buffer overflow in the filein_process function (in_file.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Stack Overflow
Segmentation Fault in GPAC MP4Box v2.4 via HEVC SPS causing DoS
CVE-2025-52293
7.5 - High
- June 09, 2026
A segmentation violation in the gf_hevc_read_sps_bs_internal function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying crafted HEVC SPS data.
Resource Exhaustion
GPAC MP4Box v2.4 NULL pointer in gf_isom_get_user_data_count causes DoS
CVE-2025-55651
5.5 - Medium
- June 09, 2026
A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box v2.4 NULL ptr deref in gf_odf_vvc_cfg_write_bs causes DoS
CVE-2025-55657
7.5 - High
- June 09, 2026
A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box v2.4 FP Exception DoS via gf_opus_parse_packet_header
CVE-2025-55658
6.5 - Medium
- June 09, 2026
GPAC MP4Box v2.4 was discovered to contain a floating point exception in the gf_opus_parse_packet_header function (media_tools/av_parsers.c). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Floating Point Comparison with Incorrect Operator
GPAC MP4Box <=26.02.0 NULL Ptr Deref DoS via gf_filter_pid_resolve_file
CVE-2025-60477
5 - Medium
- June 03, 2026
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
NULL Pointer Dereference
GPAC MP4Box v2.4 DoS via heap overflow in m2tsdmx_send_packet
CVE-2025-55664
5.5 - Medium
- June 01, 2026
A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Heap-based Buffer Overflow
GPAC MP4Box NULL Deref in gf_odf_ac4_cfg_dsi_v1 (26.02.0) DoS
CVE-2025-60481
5.5 - Medium
- June 01, 2026
A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
NULL Pointer Dereference
GPAC MP4Box <26.02.0 Segfault in gf_isom_apple_set_tag_ex (DoS)
CVE-2025-60485
5.5 - Medium
- June 01, 2026
A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
NULL Pointer Dereference
GPAC MP4Box DoS via Heap UAF in dasher_process before 26.02.0
CVE-2025-60486
5.5 - Medium
- June 01, 2026
A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.
Dangling pointer
GPAC MP4Box <26.02.0 DoS via gf_media_get_color_info segfault
CVE-2025-60495
5.5 - Medium
- June 01, 2026
A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
NULL Pointer Dereference
GPAC MP4Box Null Ptr Deref in m2tsdmx_on_event (v 2.5-DEV)
CVE-2024-6063
5.5 - Medium
- June 17, 2024
A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been classified as problematic. This affects the function m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component MP4Box. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named 8767ed0a77c4b02287db3723e92c2169f67c85d5. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-268791.
NULL Pointer Dereference
GPAC MP4Box Buffer Overflow in eac3_update_channels
CVE-2022-47653
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113
Classic Buffer Overflow
Buffer Overflow in GPAC MP4box 2.1DEV h263dmx_process filter
CVE-2022-47663
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609
Classic Buffer Overflow
GPAC MP4Box 2.1-DEV: stack overflow via infinite Media_GetSample recursion
CVE-2022-47662
5.5 - Medium
- January 05, 2023
GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662
Stack Exhaustion
GPAC MP4Box 2.1-DEV Buffer Overflow in av_parsers.c
CVE-2022-47661
7.8 - High
- January 05, 2023
GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
Memory Corruption
GPAC MP4Box 2.1 integer overflow in isom_write.c
CVE-2022-47660
7.8 - High
- January 05, 2023
GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 has an integer overflow in isomedia/isom_write.c
Integer Overflow or Wraparound
GPAC MP4box 2.1-DEV Buffer Overflow in gf_bs_read_data
CVE-2022-47659
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data
Memory Corruption
GPAC MP4Box 2.1-DEV Buffer Overflow in gf_hevc_read_vps_bs_internal
CVE-2022-47658
7.8 - High
- January 05, 2023
GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039
Classic Buffer Overflow
GPAC MP4Box pre-2.1 buffer overflow in hevc_parse_vps_extension
CVE-2022-47657
7.8 - High
- January 05, 2023
GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662
Classic Buffer Overflow
GPAC MP4box Buffer Overflow in gf_hevc_read_sps_bs_internal (dev 2.1)
CVE-2022-47656
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273
Classic Buffer Overflow
Buffer Overflow in GPAC MP4box 2.1 GF_HEVC_READ (av_parsers.c)
CVE-2022-47654
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261
Classic Buffer Overflow
GPAC MP4box 2.1-DEV Buffer Overflow in hevc_parse_vps_extension
CVE-2022-47095
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c
Classic Buffer Overflow
Null Ptr Deref in GPAC MP4box 2.1 via m2tsdmx_declare_pid
CVE-2022-47094
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid
NULL Pointer Dereference
GPAC MP4Box <=2.1-DEV heap UAF via m2tsdmx_declare_pid
CVE-2022-47093
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
Dangling pointer
Integer overflow in GPAC MP4Box 2.1-DEV: gf_hevc_read_sps_bs_internal
CVE-2022-47092
7.1 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains an integer overflow vulnerability in the gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316
Integer Overflow or Wraparound
GPAC MP4Box 2.1-DEV Buffer Overflow in gf_vvc_read_sps_bs_internal
CVE-2022-47089
7.8 - High
- January 05, 2023
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c
Classic Buffer Overflow